Pages

01/02/2017

Using a Cisco 887 Router as a VDSL Modem

I've had a Cisco 887 Router lying around gathering dust for a while and thought I'd put it to use as a VDSL Modem, replacing the existing Openreach box. In theory this will give me more visibility on line stats allowing me to do more logging and troubleshooting.



I tried it a while ago but had some MTU issues so it was banished back into storage. My ISP, Plusnet support 'Baby Jumbos' of 1508 Bytes which allows for a 1500 Byte frame + 8 Bytes of PPPoE overhead, so this time I configured the relelvant interfaces with a 1508 Byte MTU and its working nicely.

The configuration is pretty basic, partly due to limitations of the router. Ethernet0 (The DSL port) has a subinterface for Vlan 101 which is required by the VDSL infrastructure supplied by Plusnet / BT. Vlans 1 and 101 are transparently bridged to allow PPPoE passthrough, and I've added an IP on the bridge for management with some access lists for security.

The configuration is below. I can't make any guarantees it will work or it's secure, and I've redacted some of the sensitive information. Hopefully someone will find it useful or make suggestions for improvements.



! Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
! NAME: "887VA", DESCR: "887VA chassis, Hw Serial#: FCZ1650C2WR, Hw Revision: 1.0"
! PID: CISCO887VA-K9     , VID: V02, SN: FCZ1650C2WR
! 
! 
!
! Last configuration change at 00:49:24 UTC Tue Jan 31 2017
! NVRAM config last updated at 00:49:29 UTC Tue Jan 31 2017
! NVRAM config last updated at 00:49:29 UTC Tue Jan 31 2017
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname [Redacted]
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 [Redacted]

!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
no ip cef
ip domain name [Redacted]
ip name-server [Redacted]
ip name-server [Redacted]

no ipv6 cef
!
!
license [Redacted]
!
!
vtp mode transparent
username admin privilege 15 secret 4 [Redacted] 
!
controller VDSL 0
 operating mode vdsl2
 modem 0
 modem ukfeature
!
vlan 101 
!
ip ssh time-out 30
ip ssh authentication-retries 5
ip ssh version 2
ip ssh pubkey-chain
  username admin
  quit
! 
!
!
bridge irb
!
!
!
!
interface Ethernet0
 mtu 1508
 no ip address
 ip access-group 20 in
 no ip route-cache
!
interface Ethernet0.101
 encapsulation dot1Q 101
 ip access-group 20 in
 no ip route-cache
 bridge-group 1
!
interface ATM0
 no ip address
 no ip route-cache
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 mtu 1508
 no ip address
!
interface FastEthernet1
 mtu 1508
 no ip address
!
interface FastEthernet2
 mtu 1508
 no ip address
!
interface FastEthernet3
 mtu 1508
 no ip address
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 mtu 1508
 ip address 192.168.15.1 255.255.255.252
 ip access-group 10 in
!
ip default-gateway 192.168.15.2
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 BVI1 192.168.15.2
!
access-list 10 permit 172.18.0.0 0.0.0.255
access-list 10 permit 172.19.0.0 0.0.0.255
access-list 10 permit 172.17.0.0 0.0.0.255
access-list 10 permit 10.0.97.0 0.0.0.255
access-list 10 permit 10.0.128.0 0.0.31.255
access-list 10 permit 192.168.15.0 0.0.0.3
access-list 20 deny   0.0.0.0 0.255.255.255
access-list 20 deny   10.0.0.0 0.255.255.255
access-list 20 deny   100.64.0.0 0.63.255.255
access-list 20 deny   127.0.0.0 0.255.255.255
access-list 20 deny   169.254.0.0 0.0.255.255
access-list 20 deny   172.16.0.0 0.15.255.255
access-list 20 deny   192.0.0.0 0.0.0.255
access-list 20 deny   192.0.2.0 0.0.0.255
access-list 20 deny   192.168.0.0 0.0.255.255
access-list 20 deny   198.18.0.0 0.1.255.255
access-list 20 deny   198.51.100.0 0.0.0.255
access-list 20 deny   203.0.113.0 0.0.0.255
access-list 20 deny   224.0.0.0 15.255.255.255
access-list 20 deny   240.0.0.0 15.255.255.255
!
!
!
!
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end

N.B I formatted the above with hilite.me

2 comments:

  1. I'm just about to do something similar, but due to a limitation on my firewall I'm keen for the Cisco to do the PPP hardwork.. do you know if you can get the Cisco to do the dial-in and just hand me a public IP on the other side?

    ReplyDelete
  2. Hi, I'm afraid I don't know. I'm not much of a Cisco expert, this was just bodged together from a couple of other guides online and I've since got rid of the router so I can't take a look.

    My hunch is you wouldn't be able to do what you're trying to achieve with a single IP address, as the IP usually terminates on the device handling the PPPoE, which in your case would be the Cisco.

    It looks like if your ISP gives you another subnet, you can use 'half-bridging' so one IP terminates on the PPP device, and the rest of the subnet is passed to a router behind it - https://rscc.co.uk/cisco-857-half-bridge-mode/


    I hope that helps.

    ReplyDelete